Printers connected to Windows computers infected with new variants of a malware program called Trojan.Milicenso, will automatically print out pages full of garbled data, according to security researchers from antivirus firm Symantec.
On June 9, the SANS Internet Storm Center (ISC) reported about recently observed print bomb attacks that involved printers automatically printing what seemed to be the contents of an executable file.
The SANS ISC’s experts obtained a copy of the printed file and determined that it was a part of an adware program — a program designed to display ads without authorization — detected by some antivirus products as Adware.Eorezo.
Security researchers from Symantec also investigated reports of unauthorized printouts and found that the Adware.Eorezo file was being dropped on affected computers by new variants of Trojan.Milicenso.
Trojan.Milicenso first appeared in 2010, but a new outbreak has been recorded during the past two weeks, Symantec’s security response team said in a blog post on Thursday. “Our telemetry data has shown the worst hit regions were the US and India followed by regions in Europe and South America.”
The Symantec researchers believe that Adware.Eorezo, which redirects users to French-language website, is being used by Trojan.Milicenso as a decoy to distract attention from itself.
Trojan.Milicenso is distributed in several ways: as a malicious e-mail attachment, as a drive-by download launched from compromised websites or as a fake codec advertised by social engineering scams, the Symantec researchers said.
After it infects a computer, the malware drops a copy of Aware.Eorezo as a randomly named .spl file (Windows Printer Spool File) in the default Windows printer spool directory — %SystemRoot%system32spoolprinters. Despite the .spl extension, the rogue file is actually an executable one.
The spool directory temporarily holds copies of files that printers are scheduled to print. Even though some printers allow users to specify a custom spool directory, many configurations use the default Windows one.
This causes printers attached to computers infected with new Trojan.Milicenso variants to automatically print the contents of the rogue .spl file, sometimes until their paper runs out.
“Based on what we have discovered so far, the garbled printouts appear to be a side effect of the infection vector rather an intentional goal of the author,” the Symantec researchers said.
On Thursday, researchers from SANS ISC discovered a new variant of this Trojan program with a very reduced antivirus detection rate, suggesting that the
Users who observe this type of unauthorized printer behavior are advised to scan their computers with an antivirus program capable of detecting and removing Trojan.Milicenso and Aware.Eorezo.